A custom firmware for Asus routers

Changelog (Current)

Asuswrt-Merlin 384/NG Changelog

General changes in the 384/NG branch vs 380.xx:
   - Clear your browser cache after upgrading from 380.xx to 384.xx.
   - It's generally recommended to do a factory default reset
     when coming from 380 to 384/NG.
   - HDD spindown settings moved to the System settings page
   - SSL certificate management moved to the DDNS page for models
     that support Let's Encrypt
   - Nvram settings now have maximum lengths enforced, to protect
     against buffer overruns.  This means that some very long
     lists of settings might no longer be possible on 384.xx.

384.7 (xx-xxx-xxxx)
  - NOTE: The RT-AC3200 and RT-AC56U are not supported by this
          release, Asus hasn't released any updated code for these
  - NEW: Merged with GPL 384_21152.
  - NEW: Merged RT-AC87U binary blobs + SDK from 382_50702.
  - NEW: Replaced old ez-ipupdate DDNS client with inadyn.
         A plugin was developed to fully support Asus's DDNS
         Custom services can now be configured through ddns-start,
         inadyn.conf, inadyn.conf.add or inadyn.postconf.  See the
         inadyn documentation as many custom services can be defined
         for it.
  - NEW: Added support for freedns.afraid.org DDNS service to webui.
  - NEW: Added option to retrieve WAN IP from either the local
         interface (like before) or through a remote server
         (which works through double NAT) for DDNS.
  - NEW: Display DFS channel info on Wireless Log page.
  - NEW: Added option to disable checks on unsigned DNSSEC replies.
         Disabling these will speed up lookups, but it will also
         remove part of the security benefits of DNSSEC, so it
         should not be used unless you have a very specific reason
         to do so.
  - CHANGED: Updated curl to 7.61.1.
  - CHANGED: Updated wget to 1.19.5.
  - CHANGED: Updated openssl to 1.0.2p.
  - CHANGED: Updated dnsmasq to v2.80test4 (themiron).
  - CHANGED: Updated nano to 3.1
  - CHANGED: All DDNS services now use HTTPS.
  - CHANGED: Replaced Google Domains DDNS script with inadyn's own
  - CHANGED: Moved DNSFilter to the LAN section, to make it clear
             that it's unrelated to Trend Micro's engine.
  - CHANGED: Report hostname and IP on Wireless Log page if the
             info is missing from dnsmasq but available from
  - FIXED: Invalid dnsmasq config when setting DNSFilter to Router
           mode and having IPv6 enabled (themiron).
  - FIXED: dnsmasq crashing on RT-AC86U with IPv6 Stateful mode
  - FIXED: client table would be shown twice on the VPN Status
           page if the only connections to an OVPN server
           were invalid clients (like a port scanner)
  - FIXED: DDNS forced updates after "x" days wouldn't be
  - REMOVED: Ez-ipupdate DDNS client (replaced with inadyn).
             Update your scripts if you were relying on it.

384.6 (25-July-2018)
   - NOTE: The RT-AC87U is not supported in this release, as
           Asus hasn't released any updated code for that model.
   - NEW: Merged with GPL 384_21045/382_50624.
   - NEW: Added support for the "-p" option to netstat.
   - NEW: Added setting to enable DNS rebind protection, on the
          DHCP page.  This works by rejecting upstream server
          responses that would point at a private IP.
   - CHANGED: Updated nano to 2.9.8
   - CHANGED: Updated curl to 7.60.0 (contains security fixes)
   - CHANGED: Allow selecting text (for copy/paste operations)
              on AiProtection pages.
   - CHANGED: Added AES-*-GCM ciphers to the OpenVPN legacy
              ciphers (so they can be explicitely used without
              using NCP).
   - CHANGED: Updated dnsmasq to 2.80test2-17-g51e4eee (themiron)
   - CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned
              DNS replies received with DNSSEC enabled are legitimate.
              If your upstream DNS doesn't support DNSSEC, this means
              all replies from signed zones will be considered
              invalid.  Make sure you only enable DNSSEC if your
              upstream DNS servers do support it.  This behaviour is
              a bit slower, but far more secure than the old default.
   - CHANGED: Network Tools -> Netstat output also report program/PID
   - CHANGED: Updated CA bundle to June 20th version.
   - FIXED: IPv6-related issues on non-HND platform (themiron)
   - FIXED: Couldn't log on WTFast if accessing the router
            webui over https.
   - FIXED: USB modem support code failing to properly pass
            parameters to the kernel module (themiron)
   - REMOVED: WTFast support for RT-AC88U/RT-AC3100/RT-AC5300,
              as it's incompatible with recent versions of
              curl (and has been broken for quite some time).
              Not gonna revert back to a 7 years old curl
              version just for wtfast.

384.5 (13-May-2018)
   - NEW: Merged withh GPL 384_20648
   - NEW: Merged RT-AC68U, RT-AC5300 binary blobs from 384_20648
   - NEW: Merged RT-AC86U SDK and binary blobs from 384_20648
   - NEW: service-event script, executed before any service
           call is made.  First argument is the event (typically
           stop, start or restart), second argument is the target
           (wireless, httpd, etc...).
           Note that this script will block the execution of
           the event until it returns.
   - NEW: Added USB HID modules (for use with devices such
          as UPS)
   - NEW: Added ip6tables-save command.
   - CHANGED: Updated OpenVPN to 2.4.6.
   - CHANGED: Updated Dropbear to 2018.76.
   - CHANGED: Updated Openssl to 1.0.2o.
   - CHANGED: Updated miniupnpd to version 2.1 (20180508).
   - CHANGED: Updated nano to 2.9.5.
   - CHANGED: Moved RT-AC86U to the same Busybox version (1.25.1)
              as other models.
   - CHANGED: Revised OpenVPN server options:
              o Removed "TLS Reneg time" (rarely used, can manually
                be set as a custom option)
              o Removed "Server Poll" (which didn't work
                properly), and reimplemented watchdog service,
                hardcoded to 2 mins frequency.
              o Removed "Push LAN" and "Redirect Gateway",
                replaced with new Client Access setting
              o Removed Firewall setting (firewall rules are now
                always created, and the broken External mode
                was fixed and integrated into the new Client
                Access setting).  You can now use the postconf
                script to override it.
              o Removed option to respond to DNS queries - enabling
                the option to Push DNS will also handle it
              o Added new Client Access setting to select between
                three types of access: LAN only, WAN only (will
                block access to the LAN, including the router
                itself) and LAN + WAN.
              o Keys and certificates can now be up to 7999
                characters long.

   - CHANGED: Revised OpenVPN client options:
              o Reorganized settings into groups
              o Removed "Poll Interval" (which didn't work
                properly), and reimplemented watchdog service,
                with a hardcoded frequency of 2 mins.
              o Removed Firewall setting (firewall rules are now
                always created).  You can now use the postconf
                script to override it.
              o Modified behaviour of Connection Retry.  Instead
                of taking a value in seconds that only affected
                resolution failure, it now takes a number of
                attempts, and affects connection failures.
                Resolution failures will now retry for an infinite
                period of time (the default OpenVPN value).
              o Added "refresh" link which can be clicked to
                re-query the public IP endpoint of the tunnel
              o Keys and certificates can now be up to 7999
                characters long.

   - CHANGED: Removed option to resolve names on the
              Log -> Connections page.
              That functionality was added to the
              Network Tools -> Netstat page instead.
   - CHANGED: Re-designed Log -> Connections page into a table
              with sortable fields - click on a column header to
              sort on that field.
   - CHANGED: From now on, setting the router to act as a master
              browser or a WINS server will also require you to
              enable sharing.  This will ensure that users understand
              that enabling either of these settings requires disk
              sharing to also be enabled (which it was already
              silently doing before).
   - CHANGED: Moved "Beta firmware" option to the Tools -> Other
              Settings page
   - CHANGED: Improved layout of the Firmware Update page
   - CHANGED: WPAD behaviour (sending a carriage return on
              DHCP option 252) can now be controlled in the
              Tweaks section.
   - CHANGED: Blocking custom scripts such as service-event
              and pre-mount will now wait a maximum of 120
              seconds before resuming normal operations, to
              prevent accidental lockouts.
   - CHANGED: Autofill start/end time for DST when selecting
              a timezone (LostFreq)
   - FIXED: Some dnsmasq issues related to DNSSEC were fixed,
            including CVE-2017-15107. (backported from
            dnsmasq 2.79 by John Bacho)
   - FIXED: Restoring an OpenVPN instance to default values
            would fail to disable its Start with WAN setting.
   - FIXED: Hardware authentication failure for the RT-AC3100
            and RT-AC5300.
   - FIXED: Minidlna web status page could no longer be enabled.
   - FIXED: CVE-2017-9022, CVE-2017-9023 and CVE-2017-11185 in
            Strongswan (odkrys)
   - FIXED: Various issues with download traffic in Traditional
            QoS (Cédric Dufour)
   - FIXED: TCP timeout values couldn't be changed on the
            Tools -> Other Settings page.
   - FIXED: Security issue related to webui logging in (Asus bug)

384.4_2 (24-Mar-2018)
   - CHANGED: Added visual warning when manually enabling webui
              access on WAN.  Doing so carries serious potential
              security risks, as Asuswrt's web server code should
              not be considered hardened enough for this.
   - FIXED: Security issue in httpd (CVE-2018-8879).
   - FIXED: Potential security issue in httpd related to QiS.
   - FIXED: Minor webui issue in the QoS overhead menu.

384.4 (16-Mar-2018)
   - NEW: Merged with GPL 384_20379 (with some binary components
          from 382_50010 and 384_20308 depending on models)
   - NEW: Added support for the RT-AC5300.
   - NEW: Added support for the RT-AC87U.
   - NEW: Added IPSEC support to the RT-AC86U.
   - NEW: Support the new Entware 64-bit repo on the RT-AC86U.
          To switch to the new repository, re-run the
          entware-setup.sh script.  You will need to reinstall
          your apps (your old config files are backed up on
          your USB disk).
   - CHANGED: Tightened security around some config files.
   - CHANGED: Allow guest networks settings for AP isolation
              and SSID broadcast to be set separately from
              their parent interface (John Bacho)
   - CHANGED: Samba protocol support can now be set to
              SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default).
              This will result in a performance drop on all
              models but the RT-AC86U, but will be more secure.
              Ideally, people should change it to SMBv2 only,
              and then reboot all their client devices to start
              using only the new protocol.
   - CHANGED: Re-added some of the logging sd-idle used to do
              in 380.xx.
   - CHANGED: Switched to the new Entware repo for armv7 models.
              To upgrade, run the following commands TWICE:

              opkg update; opkg upgrade

   - FIXED: Resetting an OpenVPN client to default settings
            might revert back after a reboot.
   - FIXED: log flood from lldpd about "unable to send packet
            on real device" (moved to debug level)
   - FIXED: Potential racing condition that could lead to two
            instances of miniupnpd running at boot time.
   - FIXED: Single-char hostnames were rejected by DHCP static
            leasees page. (theMIROn)
   - FIXED: AiCloud could sometime generate a new SSL certificate
            that would overwrite the one stored in jffs.  Now,
            AiCloud can also use the same one uploaded by the
            user for the main webui, or the Let's Encrypt one.
   - REMOVED: Telnet server.  Please use SSH for console-based
   - REMOVED: SNMP support on the RT-AC86U (incompatible)
   - REMOVED: Merlin NAT loopback mode (was increasingly
              problematic as the firmware firewall handling became
              more complex)

384.3 (14-Feb-2018)
   - NOTE: To reduce confusion following the version
           bump to 384, the current Github repository
           was renamed from asuswrt-merlin.382 to
           asuswrt-merlin.ng (for New Generation).
           It's recommended that you update your
           local repository if you're a developer,
           for example by running:

              git remote set-url origin \

   - NOTE: AiMesh is currently not supported.  Feasability of
           supporting it is still under evaluation.
   - NEW: Merged with GPL 384_10007
   - NEW: Added support for RT-AC3200 (merged
          SDK 7.x-main + binary blobs from 382_19466).
   - NEW: nano can now be configured through /jffs/configs/nanorc
   - CHANGED: Allow up to 5 OpenVPN clients on RT-AC3200.
   - CHANGED: Updated nano to 2.9.3.
   - FIXED: Some routers coming from 380.xx would incorrectly
            report a new firmware available at boot time.
   - FIXED: Some broken clients (like Samsung TVs) try to use
            reserved hostnames - ignore these.  (theMIRon)
   - FIXED: Added missing IPv6 local hostnames (theMIRon)
   - FIXED: Issues withh DNS & broadcast relay for pptp
            clients (theMIRon)
   - FIXED: Fixed CVE-2018-5721 in httpd (Merlin & theMIROn)
   - FIXED: helper.js wasn't properly handling parentheses
   - FIXED: NAT acceleration of PPPoE for some models (fix
            backported from 382_50010)
   - FIXED: Networkmap-related issues on some models (missing
            tx/rx rate and such).
   - FIXED: ipset could cause the router to crash on the HND
            platform (john9527)
   - FIXED: Network Service Filter wasn't working when in
            Blacklist mode.
   - FIXED: Repeater mode (backport from 384_20287)

382.2 Beta (17-Jan-2018)
   - NOTE: Due to various issues with GPL 382_18991, the 382.2
           release is being dropped, and work is moving on to the
           next version.  382.2 beta releases remain available
           for those who still wish to use it (especially RT-AC56U
           users for whom there is no ETA as to when Asus will
           release the next GPL for that particular model.)
           Known issues include lack of PPPoE HW acceleration and
           Adaptive QoS sometimes failing to start at boot among

   - NOTE: The official IRC channel has moved to
           Freenode (#asuswrt).

   - NEW: Merged with GPL 382_18991.
          Most notable changes (will vary between models):
            - Added IPSec VPN server
            - Added IFTTT and Alexa support
            - Let's Encrypt support (DDNS page)
            - Better support for some longer settings (RT-AC86U)
   - NEW: Merged HND SDK + binary components from 382_18848
   - NEW: Added IPSec VPN status on the VPNStatus page.
   - NEW: Added support for RT-AC56U and RT-AC68U
          (and all of its variants)
   - NEW: Enabled support for Let's Encrypt on RT-AC56U and
          RT-AC68U (in addition to RT-AC88U/3100)
   - CHANGED: Moved HTTPS cert management to the DDNS page (where
              Asus has put theirs, as Let's Encrypt is tied to
              the DDNS configuration)
   - CHANGED: Updated openssl to 1.0.2n.
   - CHANGED: Updated tor to
   - CHANGED: Updated nano to 2.9.1.
   - CHANGED: Updated curl to 7.57.0.
   - CHANGED: Increased max length for OpenVPN custom settings from
              170 to 510 characters on RT-AC86U.
   - CHANGED: Updated miniupnod to Github snapshot 20171212.
   - CHANGED: OpenVPN firewall rules are now processed after the
              various security chains (access restriction, network
              service firewall, etc...), ensuring OVPN traffic no
              longer bypasses them.
   - FIXED: httpd crash on certain web pages if there are no Ethernet
            clients connected
   - FIXED: DNSFILTER rules would have priority over OPENVPN Client
            rules (when client has DNS set to Exclusive mode).
   - FIXED: traffic routing from the router itself would fail when
            restarting the firewall while using an ovpn client with
            policy rules in effect.
   - FIXED: Dashes were rejected when used in an OpenVPN policy
            client description.
   - REMOVED: Removed option to select between active and passive
              scan mode for a site survey (that code is now closed
              source and therefore that option can no longer be

382.1_2 (2-Dec-2017)
   - NEW: Added custom/add/postconf support for mcpd.conf (RT-AC86U)
   - CHANGED: Updated odhcp6c to latest upstream version
              (patch by theMIRon)
   - CHANGED: cifs and xt_set kernel modules will get automatically
              loaded as needed.
   - CHANGED: Updated openssl to 1.0.2m.
   - CHANGED: Updated libogg to 1.3.3 and libvorbis to 1.3.5.
   - CHANGED: Merged wireless components from GPL 382_18991 for
              RT-AC88U and RT-AC3100 (should in theory fix KRACK
              issue on these two models)
   - FIXED: allow IA_NA mode downgrade with forced IA_PD
            (for ISPs with broken IPv6 support)
            (patch by theMIRon)
   - FIXED: SSH brute force protection would break WAN
            connectivity (RT-AC86U)
   - FIXED: Wrong Trend Micro signature updater was used when
            compiling with FW update checker enabled.
   - FIXED: QoS Upload chart missing on PPPoE connections with
            Adaptive QoS enabled.
   - FIXED: client and vendor id fields on WAN page would fail
            to accept new values longer than 32 characters.
   - FIXED: The Desc field in the OpenVPN policy section would
            reject ":" if field contained a MAC address.
   - FIXED: Security issues CVE-2017-15275, CVE-2017-12163 and
            CVE-2017-12150 (backported to Samba 3.6 and 3.5)
   - FIXED: DHCP static lease list would refuse any change if
            the list of leases+hostnames was longer than 1000
            chars due to an HND platform limitation (RT-AC86U)

382.1 (12-Nov-2017)
   Asuswrt-Merlin 382 was rebuilt from a clean GPL codebase, as
   merging the new 382 GPL on top of the existing code proved too

   For simplicity, the following abbreviations are used below:
      AM380 = Asuswrt-Merlin 380.xxx
      AM382 = Asuswrt-Merlin 382.xxx
      Asus380 = Asus's
      Asus382 = Asus's

   AM382.1 is based on AM380.68_4 merged on top of a clean GPL.

   At this time, only the RT-AC86U, RT-AC88U and RT-AC3100
   are supported by AM382.  Other models will gradually be
   moved to AM382 as Asus upgrade them to the new 382 code
   base (and GPL code becomes available for them).

   This changelog will focus on changes that happened between
   AM380.68 and AM382.1, or between Asus382_16466 and AM382.

   Also note that the primary download site was changed to
   Sourceforge, due to numerous issues with Mediafire.  Onedrive
   will be the oficial mirror to the SF.net download site.

   - NEW: Moved to Asus382 codebase.  Some of the most important
          changes between Asus380 and Asus382:
            - New Trend Micro DPI engine, with two-way IPS
            - New networkmap service (now closed source)
            - New OpenVPN implementation (now closed source,
              not used by AM382)
            - Numerous security enhancements throughout the code

   - NEW: Merged with GPL 382_16466 (RT-AC86U).
   - NEW: Added support for the RT-AC86U and its Broadcom HND
          platform (HND SDK from GPL 382_18219).
          Note that IPTraffic is not supported by this model due to
          its newer Linux kernel.
   - NEW: Rewrote part of the OpenVPN implementation, as Asus's own
          is now closed source.  Asuswrt-Merlin's OpenVPN code will
          now be independent of Asus's.
   - NEW: Added support for inline CRLs when importing an ovpn file
   - NEW: Added support for fullcone NAT (RT-AC86U)
   - NEW: Added WiFi Radar (Broadcom's Visualization app) in the
          Wireless section.  You must enable data collection on
          its Configuration page for all charts to work properly.
   - NEW: Added option to disable the Asus NAT tunnel service under
          Other Settings -> Tweak.  Not quite sure what this
          partly closed source service is for, but it eats a
          fair amount of CPU and RAM.
   - NEW: Option on OpenVPN Server page to quickly choose
          between pushing LAN or LAN + Internet access (ported
          from Asus382)
   - NEW: Option to select the bitsize to use (1024 or 2048) when
          automatically generating the OpenVPN server key/certs
          (ported from Asus382)
   - CHANGED: Updated wget to 1.19.2 (fixing connectivity to some
              TLS 1.2 servers)
   - CHANGED: SSH host keys are now stored in /jffs/ssl/ rather
              than nvram.
   - CHANGED: SMB2 is enabled by default on RT-AC86U (no performance
              penalty on that platform)
   - CHANGED: Moved UPnP Secure Mode setting from the Tweaks section
              to the WAN page, next to other UPnP settings.
   - CHANGED: Moved "Modify key and certs" link to its own dedicated
              row and made it a button for improved visibility
              (OpenVPN client & server pages)
   - CHANGED: Updated OpenVPN to 2.4.4.
   - CHANGED: The firmware version check behaviour was slightly
              changed.  The "Get Beta" checkbox will now check
              both the Beta and the Release channels for new
              version availability.  Automatic scheduled checks
              will still only check the Release channel.
   - CHANGED: Layout improvements to the SNMP, Login, and
              Operation Mode pages (patches by Alin Trăistaru)
   - CHANGED: Report both the local client IP as well as the
              public/visible IP on the OpenVPN client page once
              a client is connected (same info that was already
              available on the VPN Status page).
   - CHANGED: Moved Disk spindown settings to the System page,
              to match with Asus382 which now offers this feature.
   - REMOVED: Obsolete/exotic HMAC digests for OpenVPN servers (to
              match with Asus' own supported list)
   - REMOVED: "Custom" OpenVPN authentication mode (which probably
              nobody used or even understood).